AI Agent deployed on App Service returns “Operation returned an invalid status code 'Unauthorized'” when replying through Azure Bot Service

Question

AI Agent deployed on App Service returns “Operation returned an invalid status code 'Unauthorized'” when replying through Azure Bot Service

Lightning Minds 0

I’m hosting a FastAPI-based AI Agent backend on Azure App Service (Python) and connected it to Azure Bot Service. The bot receives messages successfully from Web Chat and the Bot Framework service, but every time it tries to send a reply, I get this error:

botbuilder.schema._models_py3.ErrorResponseException: Operation returned an invalid status code 'Unauthorized'

This happens inside:

await turn_context.send_activity(agent_reply)

This only affects outbound messages (inbound works fine).

I’ve already verified the following:

The app is registered in Microsoft Entra ID and the same MicrosoftAppId is configured in both the Bot Channel Registration and the App Service.
MicrosoftAppPassword uses the correct Secret Value.

The app is set to multi-tenant: “Accounts in any organizational directory and personal Microsoft accounts.”

API permissions include openid, User.Read, and profile (Delegated) with admin consent granted.

Region trust has been added in code:
```
  MicrosoftAppCredentials.trust_service_url("https://smba.trafficmanager.net/amer/")
```
The App Service is deployed in Central US, and the Bot Service is Global.
Token test for https://api.botframework.com/.default returns 200 OK and valid tokens.

Despite this, outbound messages fail with Unauthorized.

When the app was single-tenant, I got:

AADSTS700016: Application with identifier '...' was not found in the directory 'Bot Framework'

After switching to multi-tenant, I get:

Operation returned an invalid status code 'Unauthorized'

So token acquisition now succeeds, but the outbound call from the Bot Adapter still fails authentication.

Any help would be much appreciated. Thanks.

Nikhil Jha (Accenture International Limited) 2,220 Reputation points Microsoft External Staff Moderator

2025-10-26T16:16:36.24+00:00

Hi Podduturi, Snigdha Reddy and shweta naphade,

Are you the original poster for this thread from different id - Lightning Minds?

Could please clarify while going ahead?
And Lightning Minds can you please reply in private message.

1 answer

Your answer

Nikhil Jha (Accenture International Limited) 2,220 Reputation points Microsoft External Staff Moderator

2025-10-26T16:16:36.24+00:00

Hi Podduturi, Snigdha Reddy and shweta naphade,

Are you the original poster for this thread from different id - Lightning Minds?

Could please clarify while going ahead?
And Lightning Minds can you please reply in private message.

Answer 1

Sina Salam 25,761 Volunteer Moderator

Hello Lightning Minds,

Welcome to the Microsoft Q&A and thank you for posting your questions here.

I understand that your AI Agent deployed on App Service returns “Operation returned an invalid status code 'Unauthorized'” when replying through Azure Bot Service.

To fix this, ensure your MicrosoftAppId and MicrosoftAppPassword in App Service exactly match those in your Bot Channel Registration and App Registration. Your adapter should use the correct credentials as shown below:

from botbuilder.core import BotFrameworkAdapterSettings, BotFrameworkAdapter
import os
settings = BotFrameworkAdapterSettings(os.getenv("MicrosoftAppId"), os.getenv("MicrosoftAppPassword"))
adapter = BotFrameworkAdapter(settings)

Before sending any message, dynamically trust the serviceUrl received from the incoming activity instead of hardcoding a region, as shown:

from botframework.connector.auth import MicrosoftAppCredentials
MicrosoftAppCredentials.trust_service_url(turn_context.activity.service_url)

Next, verify that your bot obtains a valid token for the correct audience by running:

from botframework.connector.auth import MicrosoftAppCredentials
import asyncio, os
async def test_token():
    creds = MicrosoftAppCredentials(os.getenv("MicrosoftAppId"), os.getenv("MicrosoftAppPassword"))
    print(await creds.get_access_token())
asyncio.run(test_token())

When decoded, the JWT’s aud claim must be https://api.botframework.com/. If not, manually request the token using:

curl -X POST -d "grant_type=client_credentials&client_id=<APPID>&client_secret=<SECRET>&scope=https://api.botframework.com/.default" https://login.microsoftonline.com/botframework.com/oauth2/v2.0/token

to validate the correct scope and endpoint.

Additionally, confirm that Managed Identity is not conflicting with App ID based authentication, and that your Bot Channel Registration and App Service regions align (for example, both in Central US or Global). Use the latest botbuilder-core SDK (v4.15+) to avoid known token audience bugs. For multi-tenant configurations, grant admin consent to https://api.botframework.com/.default and ensure all external tenants where the bot operates have approved the app.

If issues persist, enable debug logs for the connector to capture the outbound HTTP response body for sub-error details. You can review official Microsoft documentation on Bot Framework authentication and token acquisition: - https://free.blessedness.top/en-us/azure/bot-service/rest-api/bot-framework-rest-connector-authentication and https://free.blessedness.top/en-us/azure/bot-service/bot-service-troubleshoot-authentication-problems for more details.

I hope this is helpful! Do not hesitate to let me know if you have any other questions or clarifications.

Please don't forget to close up the thread here by upvoting and accept it as an answer if it is helpful.

shweta naphade 0 Reputation points

2025-10-23T00:03:56.3633333+00:00

We will look into your solution and get back to you with success or more questions if this doesnt work. thanks. We are trying now.
Lightning Minds 0 Reputation points

2025-10-23T20:12:14.64+00:00
Hi Sina,

Thank you for the detailed response, I really appreciate it.

I went through all of your suggestions carefully:

Verified that the MicrosoftAppId and MicrosoftAppPassword in App Service exactly match the App Registration and Bot Channel Registration.

Updated the adapter to dynamically trust the incoming serviceUrl using:

MicrosoftAppCredentials.trust_service_url(turn_context.activity.service_url)

Confirmed token acquisition works — both the Python test snippet and manual curl request return valid tokens with audience https://api.botframework.com/.

Verified both the App Service and Bot resource are in compatible regions (Central US / Global).

Using the latest botbuilder-core SDK (v4.15+).

Tried both configurations:

Using App ID + secret authentication

And **Managed Identity** for the App Service

In both cases, the bot receives inbound messages correctly but still fails on replies with:

botbuilder.schema._models_py3.ErrorResponseException: Operation returned an invalid status code 'Unauthorized'

At this point, I’m wondering if the issue could be related to the bot still showing as Single Tenant while the App Registration is Multi-Tenant, or if Managed Identity affects token validation somehow.

Also, is there a more suitable alternative for this setup, such as deploying through Azure AI Foundry’s Agent Service instead of a standard App Service? I’m open to moving to a newer or more stable architecture if that avoids this authentication issue.

Thanks again for your help and guidance!
Sina Salam 25,761 Reputation points Volunteer Moderator

2025-10-24T00:05:05.7966667+00:00

Hi @Lightning Minds

Thanks for your feedback, it's good to know there is progress.

Since the App Registration is multi-tenant and the bot is showing as single-tenant, this discrepancy could lead to authentication issues. You will need to adjust the bot's registration to be multi-tenant.

‎

‎About the Token Acquisition, since you've confirmed that the it works and returns valid tokens, double-check the scopes of the tokens to ensure they include permissions necessary for sending messages.

‎

‎Also, the line of code you included for trusting the service URL is correct. Ensure that this line is executed before making any API calls that require the trusted service URL and if you're using Managed Identity, ensure that you have granted the necessary permissions in Azure for the bot to access other resources. Sometimes, Managed Identity may not have the same permissions as an App ID + secret.

‎

‎Regarding alternatives, Azure AI Foundry’s Agent Service could provide a more integrated solution, especially if it aligns with your architecture goals. However, be sure that it supports all the features you need and evaluate any potential migration complexities.

‎

‎With all you've done, these should resolve all:

‎1. App Registration and Bot Channel Registration should be configured with compatible tenant settings.

‎2. Check the token scopes to ensure they cover all required permissions for sending replies.

‎3. If you're on the latest SDK (v4.15+), stay updated with any new releases or patches that may address known issues.

‎

‎Success.

‎
Podduturi, Snigdha Reddy 0 Reputation points

2025-10-24T20:17:07.1766667+00:00

Hi @Sina Salam

Thanks for the detailed breakdown, this really helps clarify the direction.

Given the complexity and recurring challenges with the current setup, I’m considering continuing with the Azure AI Foundry Agent Service approach instead. It seems like a better long-term fit for our architecture and may simplify the identity and authentication flow.

If you happen to have any leads, documentation, or best practices on how to get started with integrating the Agent Service with the Bot Service, that would be really helpful.

I’d like to keep this thread open for now, just in case any follow-ups or updates come up while testing this path.

Thank you!

Share via

AI Agent deployed on App Service returns “Operation returned an invalid status code 'Unauthorized'” when replying through Azure Bot Service

1 answer

Your answer